Most malware today uses a C&C server based on some form of a web server or an Internet Relay Chat (IRC) channel. In contrast, the MnuBot malware uses a Microsoft SQL Server database server to communicate with the sample and send commands to be executed on the infected machine.

The Brazilian, Delphi-based malware features two components, each in charge of a different phase of a two-stage attack flow.

In its first stage, MnuBot looks for a file called Desk.txt within the AppData Roaming folder.

Depending on whether the file exists or not, MnuBot performs the following:

• If the file doesn’t exist, MnuBot creates the file, creates a new desktop and switches the user workspace to that newly created desktop. This desktop runs side by side with the legitimate user desktop.

• If the file exists, MnuBot does nothing.

On the newly created desktop, MnuBot constantly checks the foreground window name and, if it finds a name similar to a bank name in its configuration, the malware queries the server for the second stage executable corresponding to that bank name.

The executable, saved as C:\Users\Public\Neon.exe, is a Remote Access Trojan (RAT) that provides the attacker with full control over the target machine. It also includes functionality unique to MnuBot, IBM researchers said.

Once the infection stage has been completed, the malware connects to the C&C server to pull in the initial configuration. The necessary SQL server details, such as server address, port, username and password, are hardcoded inside the malware in an encrypted form (they are decrypted dynamically just before initializing the connection).
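The host artifacts described so far (the Desk.txt marker, the Neon.exe payload path, and a workstation process talking directly to a SQL Server) can be combined into a simple hunt over endpoint telemetry. The following is an added example, not code from the IBM research or the original article; the event field names, internal ranges, allowlist and TCP 1433 (SQL Server's default port, since the article does not give the port) are assumptions, and the sample events are constructed.

```python
import ipaddress
import ntpath

# Assumptions (not from the article): event field names, internal ranges,
# the allowlist, and TCP 1433 (SQL Server's default port).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MSSQL_PORTS = {1433}
SQL_CLIENT_ALLOWLIST = {"ssms.exe", "sqlcmd.exe"}  # hypothetical approved clients

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(event):
    """Return a finding label for one event, or None if it is not of interest."""
    if event["type"] == "file_create":
        path = event["path"].lower()
        # Stage 1 marker: Desk.txt directly inside a user's AppData\Roaming.
        if path.endswith("\\appdata\\roaming\\desk.txt"):
            return "stage1_marker"
        # Stage 2 executable path named in the article.
        if path == "c:\\users\\public\\neon.exe":
            return "stage2_payload"
    elif event["type"] == "net_connect":
        image = ntpath.basename(event["image"]).lower()
        # A non-database process reaching a SQL Server outside the network.
        if (event["dest_port"] in MSSQL_PORTS
                and not is_internal(event["dest_ip"])
                and image not in SQL_CLIENT_ALLOWLIST):
            return "mssql_egress"
    return None

def hunt(events):
    return [(e["host"], label) for e in events if (label := classify(e))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Desk.txt"},
    {"host": "WS-01", "type": "file_create", "path": r"C:\Users\Public\Neon.exe"},
    {"host": "WS-01", "type": "net_connect", "image": r"C:\Temp\sample.exe",
     "dest_ip": "203.0.113.10", "dest_port": 1433},
    {"host": "WS-02", "type": "net_connect", "image": r"C:\Tools\ssms.exe",
     "dest_ip": "10.0.5.20", "dest_port": 1433},
    {"host": "WS-03", "type": "file_create", "path": r"C:\Users\bob\Documents\Desk.txt"},
]
```

Because the real port is hardcoded in the sample and may not be 1433, the network rule is a weaker signal than the two file paths and is most useful for correlating hosts that already show one of them.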

Strings in the configuration include queries the malware should perform, supported commands, files to interact with, and targeted bank websites. Should the configuration be missing, MnuBot shuts itself down, meaning no malicious activity is performed on the infected machine.

The attackers can dynamically change MnuBot’s malicious activity by modifying the configuration directly on the server. If the author takes the server down, researchers can also be prevented from reverse engineering the sample’s behavior.

Once the user opens the webpage of a targeted website, the second-stage payload provides the malware operator with an open session to the bank’s website, directly from the victim machine.

The malware gives the operator the ability to take browser and desktop screenshots, log keystrokes, simulate user clicks and keystrokes, restart the victim machine, uninstall Trusteer Rapport from the system, and create a form that overlays the bank’s page and steals the data the user enters there.

MnuBot uses a full screen overlay form to prevent users from accessing the legitimate banking website and to trick them into revealing sensitive data. In the background, the malware operator takes control over the system and attempts to perform an illegal transaction via the already opened banking session.